add concept of private flake inputs

Inputs can now be declared without propagating to a consumers lock file
by adding inputs to the flake in the private sub directory.

The inputs defined here can be managed just like other flake inputs.

The narHash in the main flake.nix for the private inputs must be
updated anytime the private flake is touched.

.envrc

@@ -6,5 +6,5 @@
 [ -f .envrc.local ] && source_env .envrc.local
 DEVSHELL_TARGET=${DEVSHELL_TARGET:-default}
 
-. "$(nix eval .#__std.direnv_lib)"
+. "$(nix eval --no-write-lock-file --no-update-lock-file .#__std.direnv_lib)"
 use std nix "//automation/devshells:${DEVSHELL_TARGET}"

flake.nix

@@ -1,61 +1,37 @@
 {
   description = "Flake containing Bitte clusters";
-  inputs.std.url = "github:divnix/std";
-  # 21.11 doesn't yet fullfill all contracts that std consumes
-  # inputs.std.inputs.nixpkgs.follows = "nixpkgs";
-  inputs.n2c.url = "github:nlewo/nix2container";
-  inputs.data-merge.url = "github:divnix/data-merge";
-  inputs.capsules.url = "github:input-output-hk/devshell-capsules";
-  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
-    nixpkgs-docker.url = "github:nixos/nixpkgs/ff691ed9ba21528c1b4e034f36a04027e4522c58";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
-
-    nix.url = "github:nixos/nix/2.8.1";
-    agenix.url = "github:ryantm/agenix";
-    agenix-cli.url = "github:cole-h/agenix-cli";
-    ragenix.url = "github:yaxitech/ragenix";
-    deploy.url = "github:input-output-hk/deploy-rs";
-
-    terranix.url = "github:terranix/terranix";
-    terranix.inputs.nixpkgs.follows = "blank";
-
-    utils.url = "github:numtide/flake-utils";
-    blank.url = "github:divnix/blank";
-
-    nomad-driver-nix.url = "github:input-output-hk/nomad-driver-nix";
 
-    # Vector >= 0.20.0 versions require nomad-follower watch-config format fix
-    nomad-follower.url = "github:input-output-hk/nomad-follower";
-
-    fenix = {
-      url = "github:nix-community/fenix";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
+  # --- Public Inputs --------
+  # intended to defer locking to the consumer
+  inputs = {
+    nixpkgs.url = "nixos-21_11";
+    nixpkgs-unstable.url = "nixpkgs-unstable";
+    nix.url = "nix-2_10";
 
     ops-lib = {
-      url = "github:input-output-hk/ops-lib";
+      url = "ops-lib";
       flake = false;
     };
-
-    # DEPRECATED: will be replaces by cicero soon
-    hydra.url = "github:kreisys/hydra/hydra-server-includes";
-    hydra.inputs.nix.follows = "nix";
-    hydra.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = {
     self,
-    hydra,
     nixpkgs,
     nixpkgs-unstable,
-    utils,
-    deploy,
-    ragenix,
     nix,
-    fenix,
     ...
-  } @ inputs:
+  } @ pub: let
+    inherit (inputs) std utils;
+
+    priv = (import ./lib/call-flake.nix) {
+      type = "path";
+      path = ./private;
+      # needs to be updated any time private inputs are touched
+      narHash = "sha256-WpyvDOGanWmgh1bk/KF8L0SL/wkJq9oB6aswlIDtNRs=";
+    } {};
+
+    inputs = priv.inputs // pub;
+  in
     inputs.std.growOn {
       inherit inputs;
       cellsFrom = ./nix;
@@ -86,10 +62,8 @@
     # soil -- TODO: remove soil
     (let
       overlays = [
-        fenix.overlay
-        nix.overlay
-        hydra.overlay
-        deploy.overlay
+        inputs.hydra.overlay
+        # inputs.deploy.overlay
         localPkgsOverlay
         terraformProvidersOverlay
         (_: prev: {inherit (self.packages."${prev.system}") bitte;})

lib/call-flake.nix

@@ -0,0 +1,17 @@
+let
+  url = "https://raw.githubusercontent.com/NixOS/nix/0c62b4ad0f80d2801a7e7caabf20cc8e50182540/src/libexpr/flake/call-flake.nix";
+  callFlake = import (builtins.fetchurl {
+    inherit url;
+    sha256 = "sha256:1dmi01s1g3mnvb098iik3w38fxmkwg1q1ajk7mwk83kc5z13v2r7";
+  });
+in
+  # flake can either be a flake ref expressed as an attribute set or a path to source tree
+  flake: {
+    # subdir of source root containing the flake.nix
+    dir ? "",
+  }: let
+    src = builtins.fetchTree flake;
+  in
+    if dir == ""
+    then callFlake (builtins.readFile "${src}/flake.lock") src dir
+    else callFlake (builtins.readFile "${src}/${dir}/flake.lock") src dir

lib/default.nix

@@ -5,6 +5,7 @@
   inherit (inputs) nixpkgs deploy;
   bitte = inputs.self;
 in rec {
+  callFlake = scopedImport {inherit (inputs) nix;} ./call-flake.nix;
   terralib = import ./terralib.nix {inherit lib nixpkgs;};
 
   warningsModule = import ./warnings.nix;
@@ -19,7 +20,10 @@ in rec {
   mkBitteStack =
     import ./mk-bitte-stack.nix {inherit mkCluster mkDeploy lib nixpkgs bitte;};
   mkDeploy = import ./mk-deploy.nix {inherit deploy lib;};
-  mkSystem = import ./mk-system.nix {inherit nixpkgs bitte;};
+  mkSystem = import ./mk-system.nix {
+    inherit nixpkgs bitte;
+    priv = inputs;
+  };
   mkVaultResources = kv.mkVaultResources;
   mkConsulResources = kv.mkConsulResources;
 

lib/mk-system.nix

@@ -1,6 +1,7 @@
 {
   nixpkgs,
   bitte,
+  priv,
 }: {
   pkgs,
   # Different mkSystem service levels:
@@ -26,7 +27,7 @@
         ++ modules;
       specialArgs = {
         inherit nodeName self inputs;
-        inherit (bitte.inputs) terranix nomad-driver-nix nomad-follower;
+        inherit (priv) terranix nomad-driver-nix nomad-follower;
         bittelib = bitte.lib;
         inherit (bitte.lib) terralib;
       };

nix/automation/devshells.nix

@@ -30,7 +30,6 @@ in {
       capsules.base
       capsules.tools
       capsules.integrations
-      capsules.hooks
     ];
   };
   cli = std.lib.mkShell {

overlay.nix

@@ -12,6 +12,7 @@ in
     rec {
       nixFlakes = nixUnstable;
       nixUnstable = builtins.throw "use pkgs.nix directly";
+      inherit (inputs.nix.packages.${prev.system}) nix;
 
       # Packages specifically needing an unstable nixpkgs pinned latest available version
       inherit